UBOs Under the Radar

Although this particular example is fictitious, it exposes a real-world challenge. How can financial institutions identify seemingly upstanding individuals with ownership interests in a company who do not fall into any high-risk categories? In other words, they have no red flags, no adverse media, are not a politically exposed person (PEP), and are not sanctioned – yet they may be acting on behalf of another person who is involved with criminal activity.

Understanding UBOs

While there is no uniform agreement across jurisdictions, typically an ultimate beneficial owner (UBO) is defined as any individual that holds 10-25% or more of company’s shares or voting rights and who can exercise control of the underlying entity. However, for high-risk entities or PEPs, the ownership threshold can be 1% or less.

To prevent money laundering, terrorist financing, and other financial crimes, financial institutions are required to know who they do business with. That means identifying and verifying the true owners of an entity regardless of whether that entity is a customer or third-party.

On the face of it, the task of identifying a UBO seems simple. After all, how complicated can it be to figure out and verify the name of the owner(s) and major shareholders of a company?  In reality, it’s not that straightforward. 

Corporations, financial institutions, and high net worth individuals often use shell companies and offshore accounts with complex ownership structures that make it difficult to peel back layers and uncover the true stakeholders. The complexity is not an accident. It’s done to preserve anonymity. Although there is nothing inherently illegal in setting up a shell company or offshore account, the lack of transparency and ability to mask true owners make these structures a haven for fraud, money laundering, tax evasion and other illicit activities. Globalization has only provided a wider playing field with more choices and more places to hide.

Piercing the veil of secrecy

The Panama Papers is perhaps the most jarring example of how lax regulations can serve as a welcome mat for illicit activity. It was also a wake-up call for governments and financial institutions around the world. As a result, regulatory agencies have stepped up efforts to close loopholes and tighten UBO reporting requirements to prevent offshore accounts and shell companies from being used for fraud and financial crime.

In the U.S., the Financial Crimes Enforcement Network (FinCEN) Customer Due Diligence (CDD) Rule was passed in 2018 to “improve financial transparency” and make it harder for bad actors to hide illicit activities. The Rule requires financial institutions and other covered entities to identify and verify the beneficial owners of companies opening accounts, understand the nature of customer relationships, and conduct ongoing monitoring to identify suspicious transactions.  However, inconsistent disclosure requirements across the country continue to draw bad actors to the handful of states that require very little information to register a company. 

In September 2022, FinCEN announced the Corporate Transparency Act (CTA), “to protect U.S. national security and strengthen the integrity and transparency of the U.S. financial system.” The CTA will require companies registered in the U.S. to provide the name(s) of primary owner(s), birthdates, address and a “unique identifying number from an approved identification document.”  Information will be available to law enforcement, intelligence agencies and financial institutions in a confidential database of beneficial owners. The new law is expected to go into effect January 1, 2024.

The EU has also taken steps to close gaps in regulatory oversight and harmonize inconsistent regulations and reporting requirements. The 4th Anti-Money Laundering Directive required EU Member States to create registers of UBOs. It sets standards for the type of information that must be collected and its accessibility. As of 2022, 26 of the 27 Member States have created a register of UBOs.

The 5th AML Directive (5AMLD) took UBO transparency and reporting requirements one step further. It not only requires registers of UBOs to be publicly available but mandates that covered institutions consult UBO registers “while performing AML screening.”  Currently, some registries are publicly available as required by 5AMLD (e.g., France, Poland, Sweden), while others offer only limited access (e.g., Germany, Finland, Greece).

A range of risks

Ensuring UBOs are not linked to criminal activity or sanctioned entities is critical to an institution’s know your customer (KYC) and anti-money laundering efforts. Using UBO registers is a good start, but greater insight is needed. Financial institutions must be able to connect the dots between UBOs and their colleagues, business relationships, friends and other associates to identify hidden connections. Failure to understand these deeper relationships could lead to a range of risks, including:

Financial risk – Institutions that don’t meet the transparency and reporting requirements for beneficial owners could face monetary fines as well as regulatory action.

Criminal risk – A bank may be sued for negligence if failure to properly carry out its KYC obligations is proven to have abetted criminal activity.

Legal risk – License revocation is a potential penalty for any financial institution that does not meet AML requirements or remedy breaches in oversight.

Reputational risk – No financial institution wants to see its name splashed over the media as having lax processes that might have supported fraud, money laundering, corruption or other crimes. Any action that undermines the integrity and trustworthiness of an institution can have a long-lasting and detrimental impact on business.

In other words, mitigating risk is not just a regulatory obligation, but is also smart business practice. 

Protecting your organization

In spite of noble efforts at standardization, inconsistencies in data, formats, accessibility, and reporting persist, complicating efforts to identify and verify beneficial owners. Due diligence is also time consuming – particularly when compliance teams must source and compile information manually from various reports across jurisdictions.

Collaboration among regulators, law enforcement, financial institutions, and technology firms to develop an easily accessible single registry of UBOs that harmonizes data and reporting formats can help prevent bad actors from misusing the financial ecosystem. However, until this is a truly workable reality across jurisdictions, a strong offense is your best defense. 

To identify UBOs like our fictitious Ken Brown who have no red flags or adverse media, consider these actions:

Cast a wide net – Embrace searches on social media, the dark web, and other online and off-line sources to identify adverse media and the broadest range of relationships possible.

Connect the dots – Use the latest technology to mine unstructured data to identify suspicious activity and hidden links to potential bad actors. Perform entity resolution on beneficial owners that may be serving as a proxy for a criminal.

Incorporate ongoing monitoring – Ensure UBO checks are done on a regular basis to stay on top of ownership changes and evolving regulatory requirements.

Train and retrain – Provide ongoing training to analysts to identify unusual account activity, questionable ownership, and suspicious relationships. 

Embrace a risk-based approach to KYC – Use risk management solutions to quickly and efficiently check UBO data against internal thresholds of high-risk countries, individuals, and business sectors. 

As loopholes close, bad actors will search for other vulnerabilities in the financial infrastructure that will enable them to mask their identity and activities. Willing UBOs that can fly under the radar of AML/KYC checks might very well become a new lifeline.  

Protect your organization with proven risk and compliance solutions from LexisNexis® Risk Solutions.